From niels.heinen@ubizen.com Wed May 23 07:25:39 2001
Date: Wed, 23 May 2001 09:34:25 +0200
From: Niels Heinen
To: project@honeynet.org
Subject: Scan of the month submission.
Hi Lance,
Here is my submission =) Thanks for the fun, it was very interesting!
Regards,
Niels Heinen
[ Part 1.2: "Attached Text" ]
1.Show step by step how you identify and recover the deleted rootkit
from the / partition.
I took a freshly installed Linux box to do the analysis on. After
downloading the partition onto this system I first installed lsof (a Unix
diagnostic tool), which is recommended in the TCT readme files. Then I
installed The Coroner's Toolkit in order to recover the files from the
partition and did the following steps:
- Unpacked the partition: tar -zxvf honeynet.tar.gz
- Mounted this partition: mount -o loop /tmp/honeynet/honeynetpot.hda8.dd /mnt/honey/
- Executed the grave-robber script: grave-robber -v /mnt/honey/
- Unmounted the partition: umount /tmp/honeynet/honeynetpot.hda8.dd
- Executed unrm: unrm /tmp/honeynet/honeynetpot.hda8.dd > /tmp/unrm.output
- Executed lazarus: lazarus -h /tmp/unrm.output
Lazarus reconstructed the data and created an html (-h) output. I started
lazarus right before going home from work and the next morning it was
finished. And so that evening I continued with analysing the output
generated by lazarus.
2.What files make up the deleted rootkit?
The following files were deleted from the root directory:
A shell script that installed the rootkit. This shell script can be
used later on to locate other files installed by the rootkit. After
all backdoor files are in place, the shell script creates the file
"computer" that contains system information. This file is mailed to
two email accounts: last@linuxmail.org and bidi_damm@yahoo.com. Below
is the email I recovered from the disk:
-------------- snip email -------------
To: last@linuxmail.org
Subject: placinte
* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig : inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
inet addr:172.16.1.108 Bcast:172.16.1.255 Mask:255.255.255.0
* Uptime : 7:45pm up 8:23, 0 users, load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id : GenuineIntel
* Cpu Model : model : 4 model name : Pentium MMX
* Cpu Speed: cpu MHz : 200.457171
* Bogomips: bogomips : 399.77
* Spatiu Liber: Filesystem Size Used Avail Use% Mounted on
/dev/hda8 251M 33M 205M 14% /
/dev/hda1 23M 2.4M 19M 11% /boot
/dev/hda6 1.6G 2.1M 1.5G 0% /home
/dev/hda5 1.6G 367M 1.2G 23% /usr
/dev/hda7 251M 5.3M 232M 2% /var
-------------- snip email -------------
The rootkit replaces ifconfig, netstat, ps and top with fixed versions
in order to limit the chance of being detected. It also copies the file
mkxfs to /usr/bin.
Two files are created: /dev/rpm and /dev/last. These files contain
configuration information that is used by the above described programs
to hide processes, backdoors and IP addresses:
Content of /dev/last:
1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222
As you can see this file contains 3 subnets and several ports that
should be hidden.
Content of /dev/rpm:
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
These are the names of the processes that have to be hidden by the
replaced binaries.
After doing this the rootkit is installed at 2 positions:
First in /dev/ida/.drag-on/ and then in /dev/ida/.. /. The files linsniffer,
logclear, sense, sl2, mkxfs, s, ssh_host_key and ssh_random_seed
are then copied into those directories.
Now again it replaces a program to hide its existence. The program
targeted is lsattr, which is a utility that can list file attributes on a
Linux second extended file system. The file is replaced with a backdoor
that listens on port 53. This backdoor gets executed at startup because
the script adds the following line to rc.sysinit:
/usr/bin/lsattr -t1 -X53 -p
In the end the rootkit looks for the existence of several cgi-bin
directories. If it finds some, the rootkit will copy a CGI backdoor
(last.cgi) to these directories and will then clean up by deleting:
last, lk.tgz, computer, and lk.tar.gz.
Romanian text was found several times in this rootkit. I have not seen
this rootkit before but I believe it has been created out of several other
kits. The sauber shell script for example has been included in several
rootkits already. The system was probably compromised by a massrooter.
Massrooters are semi-worms that scan Class B networks for vulnerable
hosts. The scanner often invokes an exploit when it finds a potentially
vulnerable host. If the exploit succeeds a rootkit is uploaded to the
system and often an email with system information is sent to a free
hosting email account which is owned by the hacker. The creators of these
kits often do not realize what kind of noise they make when searching for
vulnerable hosts, and because all of this is done with a large number of
systems in a short amount of time these hackers make a lot of mistakes ;)
Since most of these massrooters are based upon existing exploits using
well-known vulnerabilities, keeping up to date with the latest patches
should often be enough to counter them.
Bonus Question:
Was the rootkit ever actually installed on the system? How do you know?
The rootkit was installed in /dev/ida/.drag-on and /dev/ida/.. /. In
these directories, the files linsniffer, logclear, mkxfs, s, sense, sl2,
ssh_host_key, ssh_random_seed and tcp.log were installed.
I found a tcp.log file in one of these directories that contained
some sniffed data, so it is very likely that the rootkit was installed
successfully.
Regards,
Niels Heinen
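The /dev/last and /dev/rpm listings above are the hide lists the trojaned netstat and ps consult. The following Python script, an added example that is neither part of this submission nor code recovered from the rootkit, parses both lists and applies them to constructed connection and process records, so a reader can see exactly which entries the replaced binaries would suppress and why comparing against an unfiltered source (for example /proc/net/tcp and /proc/<pid>/stat read directly) exposes them. The meaning of the numeric type codes is an assumption taken from the write-up's reading (1 = address prefix, 3 = local port, 4 = remote port in /dev/last; 3 = process name in /dev/rpm); the sample connections and process names are made up.

```python
"""
Emulate the hide lists consulted by the trojaned netstat (/dev/last) and ps
(/dev/rpm). Added example, not from the submission or the recovered kit.
Type-code semantics are an ASSUMPTION based on the write-up's reading:
  /dev/last: 1 = address prefix, 3 = local port, 4 = remote port
  /dev/rpm:  3 = process name
"""
from dataclasses import dataclass, field

# Contents as quoted in the write-up.
DEV_LAST = """\
1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222
"""

DEV_RPM = """\
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
"""


@dataclass
class HideRules:
    addr_prefixes: list = field(default_factory=list)  # /dev/last type 1
    local_ports: set = field(default_factory=set)      # /dev/last type 3
    remote_ports: set = field(default_factory=set)     # /dev/last type 4
    proc_names: set = field(default_factory=set)       # /dev/rpm type 3


def parse_hide_file(text, kind):
    """Parse '<type> <value>' lines; kind is 'netstat' (/dev/last) or 'ps' (/dev/rpm)."""
    rules = HideRules()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        code, value = int(parts[0]), parts[1].strip()
        if kind == "netstat" and code == 1:
            rules.addr_prefixes.append(value)
        elif kind == "netstat" and code == 3:
            rules.local_ports.add(int(value))
        elif kind == "netstat" and code == 4:
            rules.remote_ports.add(int(value))
        elif kind == "ps" and code == 3:
            rules.proc_names.add(value)
        else:
            raise ValueError(f"line {lineno}: unknown type {code} for {kind}")
    return rules


def addr_matches(addr, prefixes):
    """Match whole octet groups, so a prefix never matches part of an octet."""
    octets = addr.split(".")
    return any(octets[:len(p.split("."))] == p.split(".") for p in prefixes)


def connection_hidden(conn, rules):
    """conn = (local_addr, local_port, remote_addr, remote_port)."""
    laddr, lport, raddr, rport = conn
    return (addr_matches(laddr, rules.addr_prefixes)
            or addr_matches(raddr, rules.addr_prefixes)
            or lport in rules.local_ports
            or rport in rules.remote_ports)


def hidden_entries(conns, procs):
    """Return (hidden connections, hidden processes): the rows a trojaned
    netstat/ps would drop but an unfiltered /proc walk still shows."""
    ns = parse_hide_file(DEV_LAST, "netstat")
    ps = parse_hide_file(DEV_RPM, "ps")
    return ([c for c in conns if connection_hidden(c, ns)],
            [p for p in procs if p in ps.proc_names])


# Constructed sample records (not from the honeypot image).
SAMPLE_CONNS = [
    ("172.16.1.108", 53, "193.231.139.17", 1040),  # hidden: remote addr in a listed prefix
    ("172.16.1.108", 22, "10.0.0.5", 40000),       # visible
    ("172.16.1.108", 3666, "10.0.0.9", 51000),     # hidden: local port listed
    ("172.16.1.108", 1025, "10.0.0.9", 2222),      # hidden: remote port listed
    ("172.16.1.108", 80, "193.254.3.4", 2000),     # visible: 193.254.3 is not 193.254.34
]
SAMPLE_PROCS = ["sshd", "linsniffer", "httpd", "sl2", "bash"]

if __name__ == "__main__":
    hidden_conns, hidden_procs = hidden_entries(SAMPLE_CONNS, SAMPLE_PROCS)
    print("connections a trojaned netstat would hide:", hidden_conns)
    print("processes a trojaned ps would hide:", hidden_procs)
```

The practical check this supports: list sockets from /proc/net/tcp and processes from /proc directly (or from a clean statically linked ps/netstat on read-only media), diff against what the installed binaries print, and every row present in the first view but not the second is a candidate hide-list entry.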
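The write-up's findings (regular files dropped into /dev as hide lists, hidden directories under /dev/ida, and a line appended to rc.sysinit) are all things an analyst can check offline against a read-only mounted copy of the partition before running any recovery tools. The Python script below is an added example, not part of this submission and not TCT's or the rootkit's code: it walks a mounted image root and reports those three kinds of trace. The "looks like a hide list" heuristic, the set of suspect binary names, the rc.sysinit path and the benign /dev/MAKEDEV sample are my assumptions; the sample tree it builds is constructed, not the honeypot data.

```python
"""
Offline triage of a mounted, read-only copy of the compromised / partition.
Added example; not from the submission, TCT or the rootkit. The hide-list
format heuristic, SUSPECT_BINARIES, the rc.sysinit path and the sample
tree are my assumptions.
"""
import os
import re
import stat
import tempfile

HIDE_LIST_RE = re.compile(r"^\d+\s+\S+$")          # '<type> <value>', as in /dev/last and /dev/rpm
SUSPECT_BINARIES = ("ifconfig", "netstat", "ps", "top", "lsattr")  # replaced by the kit per the write-up


def dev_regular_files(root):
    """Regular files under <root>/dev. A real /dev holds device nodes, directories
    and symlinks; a regular file there (such as /dev/last or /dev/rpm) needs explaining."""
    devdir = os.path.join(root, "dev")
    found = []
    for dirpath, _dirs, files in os.walk(devdir):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                found.append(os.path.relpath(path, devdir))
    return sorted(found)


def dev_hidden_dirs(root):
    """Directories under <root>/dev whose name starts with '.' or contains whitespace
    (the write-up's /dev/ida/.drag-on and the '.. ' directory are both caught)."""
    devdir = os.path.join(root, "dev")
    found = []
    for dirpath, dirs, _files in os.walk(devdir):
        for d in dirs:
            if d.startswith(".") or re.search(r"\s", d):
                found.append(os.path.relpath(os.path.join(dirpath, d), devdir))
    return sorted(found)


def looks_like_hide_list(path):
    """True when every non-blank line is '<number> <value>' (assumed hide-list format)."""
    try:
        with open(path, "r", errors="replace") as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
    except OSError:
        return False
    return bool(lines) and all(HIDE_LIST_RE.match(ln) for ln in lines)


def rc_sysinit_suspects(root, rc_rel="etc/rc.d/rc.sysinit"):
    """(line number, line) pairs in rc.sysinit whose command is one of the replaced
    binaries; lsattr has no business in a boot script, which is why the appended
    '/usr/bin/lsattr -t1 -X53 -p' line stands out."""
    hits = []
    with open(os.path.join(root, rc_rel), "r", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            words = line.strip().split()
            if words and os.path.basename(words[0]) in SUSPECT_BINARIES:
                hits.append((n, line.rstrip("\n")))
    return hits


def triage(root):
    regs = dev_regular_files(root)
    devdir = os.path.join(root, "dev")
    return {
        "dev_regular_files": regs,
        "hide_lists": [r for r in regs if looks_like_hide_list(os.path.join(devdir, r))],
        "dev_hidden_dirs": dev_hidden_dirs(root),
        "rc_sysinit": rc_sysinit_suspects(root),
    }


def build_sample_image():
    """Constructed stand-in for a mounted image (not the honeypot data)."""
    root = tempfile.mkdtemp(prefix="triage-")
    os.makedirs(os.path.join(root, "dev", "ida", ".drag-on"))
    os.makedirs(os.path.join(root, "dev", "ida", ".. "))
    os.makedirs(os.path.join(root, "etc", "rc.d"))
    with open(os.path.join(root, "dev", "last"), "w") as fh:
        fh.write("1 193.231.139\n3 48744\n4 2222\n")
    with open(os.path.join(root, "dev", "rpm"), "w") as fh:
        fh.write("3 sl2\n3 linsniffer\n")
    with open(os.path.join(root, "dev", "MAKEDEV"), "w") as fh:  # assumed benign regular file
        fh.write("#!/bin/sh\n# device node maintenance script\n")
    with open(os.path.join(root, "etc", "rc.d", "rc.sysinit"), "w") as fh:
        fh.write("#!/bin/sh\n/sbin/swapon -a\n/usr/bin/lsattr -t1 -X53 -p\n")
    return root


if __name__ == "__main__":
    for key, val in triage(build_sample_image()).items():
        print(f"{key}: {val}")
```

Run it against the real image by pointing triage() at the mount point (for instance /mnt/honey/ from the steps above) rather than at build_sample_image(). Every hit is a lead to explain, not proof by itself: some distributions legitimately keep a script or two in /dev, so the regular-file list is narrowed by the hide-list heuristic, and a match in rc.sysinit should be confirmed by checking the named binary's size, hash and package ownership against known-good copies.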
[ Part 2, "S/MIME Cryptographic Signature" ]
[ Application/X-PKCS7-SIGNATURE 4KB. ]